The BOFH lives: 88% of IT workers would steal data if fired

A study conducted by security firm Cyber-Ark indicates that 88 percent of …

A study conducted by security company Cyber-Ark indicates that a significant number of corporate IT personnel snoop sensitive data, and nearly 9 out of 10 would take company secrets and remote access credentials with them if they were fired. This could pose a serious security risk for many companies and expose them to industrial espionage and other dangers.

The results of the Trust, Security and Passwords study are based on a survey of 300 system administrators at the Infosecurity 2008 event in Europe. Of the study respondents, 88 percent admitted they would take sensitive data with them when leaving their current place of employment, and approximately one-third said that they would abscond with company password lists. That could be a serious cause for concern for companies that have complex and loosely secured technological infrastructure.

Cyber-Ark claims that one-third of companies participating in the survey experience data breaches and theft on a regular basis. Information is leaked to competitors through a multitude of vectors, including e-mail, portable devices, and USB thumb drives. More than a quarter are also the victims of internal sabotage.

Many readers are undoubtedly familiar with Simon Travaglia's Bastard Operator From Hell (BOFH), the fictional confessions of a disgruntled system administrator who uses his technological expertise to manipulate his employer, destroy his enemies, and torture users on the company network. If Cyber-Ark's study reflects reality, then the insidious machinations of the BOFH might not be so far-fetched.

Can anything be done to stop the sky from falling? Cyber-Ark says that routinely changing company passwords will reduce the risk of damage if an employee with high-level access is fired.

"Most company directors are blissfully unaware of the administrative or privileged passwords that their IT staff has access to which allows them to see everything that is going on within the company," said Cyber-Ark CEO Udi Mokady in a statement. "Our advice is to secure these privileged passwords and identities, and routinely change and manage them so that if an employee's contract is terminated, whether voluntary or not, they can't maliciously wreak havoc inside the network or vindictively steal data for competitive or financial gain."

This isn't a foolproof solution, however. The study also shows that one-third of IT administrators write down passwords that provide access to critical systems on Post-it notes. In my own experiences working in IT, I've learned that forcing users to change their passwords at routine intervals generally encourages that sort of nonsense.

While it's worth noting that most studies published by commercial vendors are ultimately intended to drive sales of their products, the Cyber-Ark study highlights an important issue that CTOs and IT managers should think about when cutting IT staff loose.